iOS 26 Passkeys: Passkey Enhancements Analysis (WWDC25)

Explore the key passkey enhancements in iOS 26. This guide covers the new Passkey Account Creation API, secure import/export and lifecycle management.

1. Introduction: iOS 26 Passkeys#

The release of iOS 26 moves Apple's passkey strategy from foundational to mature, delivering enhancements to address developer friction and user lock-in. The key improvements focus on credential portability, frictionless onboarding and complete lifecycle management.

Feature/Enhancement	Core Purpose	Key Apple API / Standard
Secure Passkey Import/Export	Eliminate vendor lock-in with user-controlled credential migration.	`ASCredentialExportManager`, `ASCredentialImportManager`, FIDO CXP
Passkey Account Creation API	Enable one-tap, passkey-first account registration.	`ASAuthorizationAccountCreationProvider`
Passkey Management Endpoints	Improve discoverability of a service's passkey management pages.	`/.well-known/passkey-endpoints`
WebAuthn Signal API Support	Keep passkey metadata synchronized between service and credential manager.	`ASCredentialUpdater`, WebAuthn Signal API

2. Secure Passkey Import and Export#

iOS 26 introduces secure credential portability, allowing users to move passkeys between iCloud Keychain and third-party managers like 1Password. Built on the FIDO Alliance's Credential Exchange Protocol (CXP), the transfer is user-initiated, requires biometrics and occurs directly app-to-app, avoiding insecure intermediate files.

Want to try passkeys yourself in a passkeys demo?

Try Passkeys

For developers of credential managers, Apple introduced ASCredentialExportManager and ASCredentialImportManager. This portability required a deliberate trade-off: deprecating device-specific attestation for exportable credentials. For passkeys synced via iCloud Keychain, Apple's implementation sends a zeroed-out AAGUID, a strategic choice that prioritizes ecosystem openness and user privacy over hardware verification for most consumer use cases.

Passkey Creation in iOS 26

3. Passkey Account Creation API#

The new Passkey Account Creation API enables a passwordless-by-default onboarding experience. Developers can invoke a native system UI that handles account creation and passkey provisioning in a single, frictionless step.

For more details about the implementation and impact, please refer to our dedicated blog post about the Passkey Account Creation API.

Passkey Overlay in iOS 26 Apps

Passkey Login in iOS 26

4. Enhancements for the Full Passkey Lifecycle#

iOS 26 introduces critical enhancements for managing passkeys throughout their lifecycle.

Passkey Management Endpoints: By hosting a simple JSON file at /.well-known/passkey-endpoints, services can declare their passkey enrollment and management URLs, allowing credential managers to link users directly to the correct pages.
WebAuthn Signal API: Support for the W3C's WebAuthn Signal API allows a service to proactively "signal" changes to the user's device (e.g., username changes), ensuring the passkey stored locally remains accurate. This is available to native apps via the ASCredentialUpdater class and to websites via a corresponding JavaScript API in the browser.

iOS 26 Passkey Settings

5. Conclusion#

The passkey enhancements in iOS 26 represent a comprehensive approach to advancing digital security and user convenience. These enhancements focus on four key areas: secure credential portability, seamless account creation, effective passkey lifecycle management, and synchronization of passkey metadata. Together, these improvements aim to reduce friction, enhance user privacy, and promote widespread adoption of passkeys as a secure alternative to traditional authentication methods. By addressing both user and developer needs, iOS 26 sets a new standard for digital identity management.